Secured printing

ABSTRACT

Methods and apparatus to facilitate secured printing in a network environment. Imaging devices on the network are adapted to look for a security key associated with each print job or incoming data stream. If no security key is identified, an imaging device denies the print request, i.e., it accepts the print job and removes it from the print queue, but generates no tangible output. If a security key is identified, a request is sent to another device on the network containing a database of valid security keys in order to validate the identified key. If the other device validates the key, the imaging device generates the tangible output. Otherwise, it denies the print request.

TECHNICAL FIELD OF THE INVENTION

[0001] The present invention relates generally to methods and apparatusfor secured printing.

BACKGROUND OF THE INVENTION

[0002] Computer networks have greatly enhanced the ability of people andorganizations to work together through increased communications.However, this advance in communications also brings with it a greaterrisk of unauthorized loss of valuable information. A variety of securitymeasures have been adopted, such as isolated or secure networks, userpasswords, hardware keys, etc.

[0003] Despite security measures, an unauthorized user may gain accessto a network device. This unauthorized user may seek to create a hardcopy or tangible image of a file or other image on, or accessiblethrough, the breached network device. To protect against loss ofinformation, only authorized users should be able to generate thisoutput. As such, it is desirable to prohibit the generation of tangibleoutput by unauthorized users.

[0004] Tangible output in a network is generated by devices broadlyknown as imaging devices. Imaging devices include printers, plotters,multi-function devices and other devices used for applying an image to atangible print media, such as paper, transparencies, card stock andmore. The image is applied to the print media using a marking material,e.g., ink, ribbon, toner, or other means of applying an image to theprint media.

[0005] When a tangible output image is desired, image data is convertedinto a form usable by the destination imaging device, often called apage description. A variety of high-level page description languages(PDLs) provide information to the imaging device on how to recreate theimage. These PDLs are often device-independent languages, i.e., the sameimage data can be provided to devices of differing types and/ordiffering manufacturers to produce an end result that is substantiallythe same. Examples of PDLs include Printer Command Language or PCL-XL(Hewlett-Packard Company, Palo Alto, Calif., USA), PostScript® (AdobeSystems Incorporated, San Jose, Calif., USA) and Interpress (XeroxCorporation, Stamford, Conn., USA). In addition to containing datarepresentative of the desired output image, PDLs also generally containother information related to the control of the imaging device, e.g.,what media tray to pull print media from, what resolution to use,whether the output should be in color or black and white, etc.

[0006] To process these PDLs, imaging devices have what is oftenreferred to as a formatter. The formatter has a processor that isresponsive to a control program to convert the image data to a printableimage and to process the related control information. The controlprogram typically provides interpretation of the PDLs, charactergeneration, device emulation, interpretation of control tags and values,etc. The printable image is typically uncompressed raster or bitmapinformation that is supplied to another component of the imaging device,often referred to as a print engine. The print engine controls themechanical components of the imaging device to produce the tangibleoutput.

[0007] For the reasons stated above, and for other reasons stated belowthat will become apparent to those skilled in the art upon reading andunderstanding the present specification, there is a need in the art foralternative methods and apparatus for secured printing in a computernetwork.

SUMMARY

[0008] The various embodiments provide methods and apparatus tofacilitate secured printing in a network environment. Imaging devices onthe network are adapted to look for a security key associated with eachprint job or incoming data stream. If no security key is identified, animaging device denies the print request, i.e., it accepts the print joband removes it from the print queue, but generates no tangible output.If a security key is identified, a request is sent to another device onthe network containing a database of valid security keys in order tovalidate the identified key. If the other device validates the key, theimaging device generates the tangible output. Otherwise, it denies theprint request.

[0009] Further embodiments of the invention include apparatus andmethods of varying scope.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010]FIG. 1 is a computer network in accordance with an embodiment ofthe invention.

[0011]FIG. 2 is a flowchart of one method of operating an imaging devicein accordance with an embodiment of the invention.

DETAILED DESCRIPTION

[0012] In the following detailed description of the present embodiments,reference is made to the accompanying drawings that form a part hereof,and in which is shown by way of illustration specific embodiments inwhich the invention may be practiced. These embodiments are described insufficient detail to enable those skilled in the art to practice theinvention, and it is to be understood that other embodiments may beutilized and that process, electrical or mechanical changes may be madewithout departing from the scope of the present invention. The followingdetailed description is, therefore, not to be taken in a limiting sense,and the scope of the present invention is defined only by the appendedclaims and equivalents thereof.

[0013] The various embodiments provide methods and apparatus tofacilitate secured printing in a network environment. Imaging devices onthe network are adapted to look for a security key associated with eachprint job or incoming data stream. If no security key is identified, animaging device denies the print request, i.e., it accepts the print joband removes it from the print queue, but generates no tangible output.If a security key is identified, a request is sent to another device onthe network containing a database of valid security keys in order tovalidate the identified key. If the other device validates the key, theimaging device generates the tangible output. Otherwise, it denies theprint request.

[0014] Others have proposed the use of security keys associated withprint jobs and matched against a database of valid security keysmaintained at each imaging device. If the incoming security key matchesa security key contained on the imaging device, the print request isgranted. The embodiments of the present invention provide for certainadvantages over the maintenance of security keys on each imaging device.For example, by maintaining a database of valid security keys on aremote device, one security key host device can service every imagingdevice on the network. In addition, a single host simplifies maintenanceas only one device needs to be updated if a revocation or addition of asecurity key is necessary. Furthermore, elimination of the database ofkeys within the imaging device frees up memory capacity to provideadditional features on the imaging device or allows the reduction ofmemory installed on the imaging device in providing the same features.

[0015]FIG. 1 is a computer network 105 in accordance with an embodimentof the invention. The network 105 may be coupled directly to a varietyof network devices, such as servers 110/115, computer workstations 125and network imaging devices 135. Other network devices may be coupled tothe network 105, albeit indirectly. Examples include terminals 120coupled to the network 105 through the server 115, imaging device 130coupled to the network 105 through computer workstation 125 b andhandheld device 145 coupled to the network 105 through computerworkstation 125 a. The connection between a network device and thenetwork 105 may be by a hardwired connection, a wireless connection, acombination or hardwired and wireless connections, or some othercommunication link. As an example, handheld device 145 is coupled to thecomputer workstation 125 a through a wireless communication link 150.The imaging devices 130 and 135 are adapted to deny print requests inthe absence of a valid security key in accordance with embodiments ofthe invention.

[0016] In general, to generate a tangible output, a print request isgenerated at some source device, such as terminals 120, computerworkstations 125 or handheld device 145. The operating system supportingthe source device uses a device driver to create an image pagedescription that is in a form usable by a destination imaging device.The use of device drivers as a translation mechanism between the imagesource device and the destination imaging device is well known and willnot be detailed herein. For use with embodiments of the invention, thedevice driver must be adapted to associate a security key with the imagepage description. Although outside the intent of this disclosure,modifying device drivers to associate a security key with the image pagedescription is within the abilities of persons of ordinary skill in theart of creating device drivers. The security keys should be encrypted toprevent network sniffers from seeing the actual key sequences. Inaddition, the security keys should be unique to either the image sourcedevice or a user logged onto the image source device. As one example,each image source device or user has a unique device driver to generateimage page descriptions associated with their respective security keys.As another example, each image source device or user uses the samedevice driver, but the device driver obtains the security key from theimage source device, which may be unique to a user of the image sourcedevice.

[0017]FIG. 2 is a flowchart of one method of operating an imaging devicein accordance with an embodiment of the invention. A print jobcontaining an image page description or other data stream containingimage data and control information is received at the imaging device at205. The image page description contains a security key identifying thesource image device or a user of the computer network containing theimaging device as described above. As an example, an image pagedescription generated using PCL-XL, a page description languagedeveloped by Hewlett-Packard Company, Palo Alto, Calif., USA, cancontain vendor unique tags with accompanying values. A device driver forthe imaging device would be adapted to generate the image pagedescription containing a tag identifying that what information followsis a security key. This accompanying value would have a predefinedformat such that the receiving device could know what part of theinformation following the tag is representative of the security key.

[0018] At 210, the imaging device determines whether a security key ispresent in the print job. Continuing the example, the formatter of theimaging device would be adapted to look for and recognize theappropriate tag. If a security key is not found, control is transferredto 230 and the print request is denied. In general, denial of the printrequest results in no tangible output being generated, i.e., the data isreceived at the imaging device, but the image data is not processed.Although the image data may be stored on the imaging device as it isreceived, it should not be retained in a format usable for generation ofa tangible output. For added security, each denial could be logged,along information representative of the source device or user, ifavailable. Such logs could be maintained at the imaging device.Alternatively, such logs could be maintained at another network devicein communication with the imaging device.

[0019] If a security key is found at 210, the key is extracted at 215.For example, upon detecting a tag known to identify a security key, theinformation following the tag is extracted from the image pagedescription by the formatter. For one embodiment where the security keyis encrypted, the formatter decrypts the key. For another embodimentwhere the security key is encrypted, the formatter extracts the key inits encrypted form.

[0020] At 220, the imaging device requests validation of the extractedsecurity key information from a remote device. The remote device, orsecurity key host device, can be any processor-based network device incommunication with the imaging device. For one embodiment, the securitykey host device is a network server. The security key host device shouldbe a well-known host on an encrypted channel.

[0021] The security key host device contains a database of valid keys.Query of the database should be by a secure protocol. If a match is madebetween the extracted security key information and the database of validkeys, the security key host device responds to the request with avalidation. If no match is made, the security key host device respondswith an indication that the key is invalid for the requesting imagingdevice. For one embodiment, the database of valid security keys isunique to each imaging device. For such an embodiment, the requestingimaging device would also supply information indicative of the identityof the requesting device. An example would include the IP address of therequesting imaging device. For embodiments where the request forvalidation sends encrypted security key information, the security keyhost device would decrypt the information prior to matching the key tothe database.

[0022] If the key is valid at 225, the print request is honored and theformatter processes the image page description to generate the printableimage for the print engine for generation of the tangible output. If theresponse from the security key host device indicates that the securitykey is invalid, or if no response is received from the security key hostdevice, the print request is denied at 230.

[0023] As noted earlier, if a print request is denied at 230, theimaging device will not generate a tangible output representative of thedesired image. The imaging device can simply consume the print job,i.e., it can accept the incoming data stream, but not process the imagedata. Alternatively, the imaging device can log the denied request. Thelogging information can be maintained on the destination imaging device.Alternatively, the logging information can be sent to another networkdevice, such as the security key host device. For one embodiment, thelogging information includes a copy of the denied print job and anindication of the source imaging device and/or the user making therequest. Such information can be useful to an administrator of thenetwork to track security breaches.

CONCLUSION

[0024] The various embodiments described herein provide methods andapparatus to facilitate secured printing in a network environment.Imaging devices on the network are adapted to look for a security keyassociated with each print job or incoming data stream. If no securitykey is identified, an imaging device denies the print request, i.e., itaccepts the print job and removes it from the print queue, but generatesno tangible output. If a security key is identified, a request is sentto another device on the network containing a database of valid securitykeys in order to validate the identified key. If the other devicevalidates the key, the imaging device generates the tangible output.Otherwise, it denies the print request.

[0025] Although specific embodiments have been illustrated and describedherein, it will be appreciated by those of ordinary skill in the artthat any arrangement that is calculated to achieve the same purpose maybe substituted for the specific embodiments shown. Many adaptations ofthe invention will be apparent to those of ordinary skill in the art.Accordingly, this application is intended to cover any such adaptationsor variations of the invention. It is manifestly intended that thisinvention be limited only by the following claims and equivalentsthereof.

What is claimed is:
 1. A method of generating tangible output from animaging device, comprising: receiving a print job at the imaging device,wherein the print job comprises a security key and image datarepresentative of a desired tangible output; generating a request fromthe imaging device directed to a remote device for validation of thesecurity key; generating the desired tangible output at the imagingdevice if the remote device validates the security key; and consumingthe print job at the imaging device without generating the desiredtangible output if the imaging device does not receive validation of thesecurity key.
 2. The method of claim 1, wherein the print job furthercomprises the security key in an encrypted form.
 3. The method of claim1, wherein generating a request further comprises sending the securitykey and information indicative of an identity of the imaging device tothe remote device.
 4. The method of claim 3, wherein at least thesecurity key is sent to the remote device in an encrypted form.
 5. Themethod of claim 1, wherein consuming the print job at the imaging devicefurther comprises receiving the print job at the imaging device withoutretaining data representative of the desired tangible output in a formatusable for generation of the desired tangible output.
 6. The method ofclaim 1, further comprising: logging a source device from which theprint job was received if no validation of the security key is received.7. The method of claim 6, wherein logging a source device furthercomprises logging the source device at the remote device.
 8. The methodof claim 7, further comprising: associating a copy of the print job withthe logged source device.
 9. A method of operating an imaging device,comprising: receiving a print job from a first external device; lookingfor a security key contained in the print job; if a security key is notfound in the print job, consuming the print job at the imaging devicewithout printing; and if a security key is found in the print job:requesting validation of the security key from a second external device;printing the print job if the security key is validated by the secondexternal device; and consuming the print job at the imaging devicewithout printing if the security key is not validated by the secondexternal device.
 10. The method of claim 9, further comprising:extracting the security key from the print job prior to requestingvalidation.
 11. The method of claim 10, further comprising: decryptingthe security key, if necessary, prior to requesting validation.
 12. Themethod of claim 9, wherein consuming the print job at the imaging devicewithout printing further comprises not processing image data containedin the print job.
 13. An imaging device, comprising: a print engine forgenerating tangible output from printable image data; and a formatterfor generating the printable image data from an image page description;wherein the imaging device is adapted to receive the image pagedescription from an image source device and to extract a security keyassociated with the image page description; wherein the imaging deviceis adapted to request validation of the extracted security key from anexternal database of security keys; and wherein the imaging device isadapted to deny generating the tangible output if either no security keyis associated with the image page description or no validation isreceived for the associated security key.
 14. The imaging device ofclaim 13, wherein the imaging device is further adapted to recognize atag within the image page description identifying a security key and torecognize that certain data following the tag is the security key. 15.The imaging device of claim 13, wherein the imaging device is furtheradapted to generate a log containing at least a source of an image pagedescription that is denied generation of tangible output.
 16. Theimaging device of claim 15, wherein the log is sent to an externaldevice.
 17. The imaging device of claim 16, wherein the external devicecontains the external database of security keys.
 18. A method ofoperating an imaging device, comprising: receiving a data stream from animage source device; analyzing the data stream for an embedded securitykey; extracting any embedded security key from the data stream; sendingthe extracted security key and information identifying the imagingdevice to a remote host for validation against a database of securitykeys contained on the remote host; waiting for a response from theremote host; and generating tangible output representative of the datastream only if a security key is extracted and the response from theremote host indicates that the security key is valid.
 19. The method ofclaim 18, further comprising: comparing the extracted security key andinformation identifying the imaging device to a set security keys fromthe database of security keys that are valid for the imaging device;generating a response indicative of a match if the extracted securitykey matches a security key in the database that is valid for the imagingdevice; and generating a response indicative of no match if theextracted security key does not match a security key in the databasethat is valid for the imaging device.
 20. The method of claim 18,wherein the remote host is a network server in communication with theimaging device.
 21. A printing system, comprising: a network; an imagesource device coupled to the network; a security key host device coupledto the network; and an imaging device coupled to the network; wherein aprint job received by the imaging device from the image source device isanalyzed by the imaging device for the presence of a security key;wherein the imaging device requests validation from the security keyhost device of any security key found in the print job; and wherein theimaging device prints the print job only if a security key is found inthe print job and the security key host device validates that securitykey to the imaging device.
 22. The printing system of claim 21, whereinthe imaging device requests validation by sending the security key andinformation identifying the imaging device to the security key hostdevice.
 23. The printing system of claim 21, wherein the imaging devicefurther logs the print job if printing of the print job is denied. 24.The printing system of claim 21, wherein the imaging device furthersends the print job and information identifying the image source deviceto the security key host device if printing of the print job is denied.25. The printing system of claim 21, wherein the security key hostdevice is a well-known host on an encrypted channel and wherein theimaging device requests validation by sending the security key andinformation identifying the imaging device to the security key hostdevice in an encrypted form across the encrypted channel.